Data Breaches: New Year, Old Story


A new year and an old story: Americans fall prey to data theft. A new
year and another old story: Congress does nothing about it, not even
requiring companies to inform consumers of the breaches.


According to the Privacy Rights Clearinghouse, 2005 saw more than 100
reported breaches involving the personal data of more than 50 million
Americans. Most of the breaches occurred after Congress got riled at
ChoicePoint in February and swore action to protect consumers.


This year is barely two weeks old, and ID thieves are already off to a
rousing start. Breaches have already been reported at the University of
Pittsburgh Medical Center, H&R Block and the Atlantis hotel in the Bahamas.


In the absence of action by Congress, the Atlantis breach represents a new,
more ominous threat: data breaches on foreign soil. While details of the
breach are still sketchy, more than 50,000 personal records are in ID
thieves’ hands, including names, addresses, credit card numbers, driver’s
license numbers and bank account data.


“It was frightening enough for American consumers when major corporate
database breaches here at home started exposing the potential vulnerability
of their personal information,” said Paul Kurtz, executive director of the
Cyber Security Industry Alliance (CSIA).


With the Atlantis breach, Kurtz said, “It’s all the more important that we
get our own house in order and move on to improving international law
enforcement cooperation.”


To Atlantis’ credit, the hotel is informing the affected customers of the
breach, although it is under no legal obligation to do so. Nor are Bahamian
law enforcement officials bound under any international laws to cooperate
with the United States.


It doesn’t have to be that way.


After all, the United States is a signatory to the Convention on Cybercrime, the first and only international,
multilateral treaty aimed at global cooperation between law enforcement
officials in the investigation and prosecution of computer network crimes.


The U.S. signed the treaty in late 2001. But there is one small problem: four years later, the U.S. Senate has yet to ratify it.


“By providing for broad international cooperation in the form of extradition
and mutual legal assistance, the Cybercrime Convention would remove or
minimize legal obstacles to international cooperation that delay or endanger
U.S. investigations and prosecutions of computer-related crime,” President
Bush wrote to
the Senate in 2003.


The treaty requires the signatories to criminalize conduct that is committed
through, against or related to computer systems, including offenses against
the “confidentiality, integrity and availability” of computer data and
systems.


In addition, the treaty calls for countries to outlaw conduct that would
otherwise be criminal outside the cyber world (forgery, fraud, child
pornography and certain copyright-related offenses).


“[The treaty] would help deny ‘safe havens’ to criminals, including
terrorists, who can cause damage to U.S. interests from abroad using
computer systems,” Bush wrote.


Late last year, four full years later, the Senate Foreign Relations
Committee finally gave its approval to the treaty, but a full Senate vote is
still nowhere in sight.

Of course, this is the same Senate that piously
rails against U.S. data breaches, holds high-profile hearings that play well
back home and, ultimately, does nothing.


“We can’t let the criminals get any farther ahead of the cops than they
already are,” Kurtz said.


Indeed.
